The keys to tracking a spammer – at least the ones in the U.S. – are:

1) The spammer’s own website. Sometimes they actually give contact information that’s legitimate.

2) The WhoIs lookup function on the domain registrars’ websites.

3) The store locator website for The UPS Store (formerly Mailboxes Etc.) – Lots of spammers register their business addresses at Commercial Mail Receiving Agencies. In California, at least, anyone who takes out a private mailbox de facto agrees that the operator of that mailbox is the Agent for Service of Process (Business and Professions Code Section 17538.5). (As an aside – and I haven’t tested this – Florida Title VI Civil Practice and Procedure 48.181, paragraph 1, says that anyone who tries to conceal their whereabouts constitutes an appointment of the Secretary of State for service of process. So, I wonder if registering your business at a UPS Store mailbox qualifies as trying to conceal…)

4) The Secretary of State websites. Very useful information. Click here for my list of all 50.

5) The registrars themselves! Don't you hate it when spammers use private registration services to hide their true identity when registering domain names that they use to send spam? It's a violation of federal law to do this, 18 U.S.C. § 1037(a)(4), but then again, since when have spammers been interested in following the law? I recently learned that under the registrars' agreement with ICANN, if you present the registrar with proof of "actionable harm" (i.e., if your state laws allow for damages for false and deceptive spam), then the registrar has to provide the REAL identity of the spammer, otherwise the registrar itself becomes liable! Click here for a sample letter to the registrar Demand Media (better known as eNom and Bulk Register) that was successful... the registrar gave me the spammer's real identity.

I use all of these tools together to
track them down. Following are a few
examples, as well as tricks that alleged spammers use to hide their websites,
and then some advanced techniques for tracing IP addresses. Note, I say “alleged” on this page because to
the best of my knowledge, no one has proven in Court that these parties are
spammers, or hire spammers, or enable spammers to sign up as affiliates, and
then obtained a judgment against them.

Example 1

This is the easiest kind of spam to trace – when the alleged spammer actually tells who they are. Just as an aside, the resume-blast spammers really piss me off because they scrape email addresses from Hotjobs, Monster, etc., which is an explicit violation of those websites’ terms of service.

Here’s the spam from
WSACorp, as it appears in the inbox.

Don’t worry, I’ve
disabled the links.

Note that a visit to
the Kansas Secretary of State’s website confirms that address, but more on
that later.

From: AHanson@WSACorp.com
Sent: Tue 6/3/2003 12:49 PM
To: [REDACTED]
Cc:
Subject: Your Resume Submittal?

Dear Job
Seeker,

I saw your resume
online and felt that my firm, WSACorp,
might be able to help you. I know how difficult this market can be for a
professional at your level. Recently, WSACorp
helped place a couple of people whose results I thought might be of interest
to you.

Dennis was a general
manager, downsized from his company during consolidation. He wanted to stay
in Colorado or Utah, but preferred not to be in Denver or Salt Lake City. He
selected WSACorp to write his resume and produce a
targeted mailing to 3,000 companies. Within 2 weeks, he accepted a position
at a 40% increase with a company in Logan, Utah. You can see his resume by
visiting WSACorp.com.

Jayne was a consultant
with a sales and marketing background earning $175K. WSACorp
mailed 3,800 letters. She had 20+ calls and accepted a $300K package offer
from a major US corporation. You can see her resume by visiting WSACorp.com.

These are only 2
examples of our recent success, but you can see many more by visiting our
Website at www.wsacorp.com.

If you wish to
accelerate your job search, perhaps you should take advantage of WSACorp's offer to provide you a NO OBLIGATION resume
critique and market evaluation. We have been writing resumes since 1976,
and we are in-tune with the current market conditions. Don't delay. This time
of year generally provides a bubble of hiring that you do not want to miss.
To quote Dennis, "I wish I had started doing this
20 years ago."

Give me a call or send
me an email, and I will be happy to set a time to have you visit with one of
our Senior Advisors for your free resume critique.

Sometimes it’s not quite as
obvious, especially in graphical spams that come from
gibberish email addresses, or at any rate email addresses that do NOT match the
merchant or even the sender. Then you
need to look at the HTML source code and/or the message headers to see what the
links/domains really are.

Here’s the spam as
it appears in the inbox.

Don’t worry, I’ve
disabled the links.

Note the long text at the bottom beginning with “You are receiving…”. If this were a legitimate email, that text would have been sent AS text. What spammers are doing now is sending the text as a graphical image. That way, a text-based filter that would have automatically trashed any email with text like “you have opted-in to receive” won’t work.

From: randyu10d@email.com.cn
Sent: Fri 5/2/2003 6:21 PM
To: Undisclosed.Recipients@oracle.icm.co.kr
Cc:
Subject: print cartridges, 8o% off today.e

Next, I look at the email headers. Sometimes they’re revealing. But here, as you can see, it’s from a nonsense email address that doesn’t immediately tell you who the sender or the beneficiary of the spam actually are.

“.cn” means China, incidentally. You could create a filter in Outlook that
automatically trashes any email with a .cn in it
and you’d be pretty safe.

by mta121.mail.scd.yahoo.com with SMTP; 04 May 2003 09:27:31 -0700 (PDT)
Received: from www.email.com.cn ([61.82.164.173])
    by oracle.icm.co.kr (8.11.6/8.11.6) with ESMTP id h4327W402643;
    Sat, 3 May 2003 11:07:37 +0900
Message-ID: <0000111b31c8$000048a2$000041a2@www.email.com.cn>
To: <Undisclosed.Recipients@oracle.icm.co.kr>
From: randyu10d@email.com.cn
Subject: print cartridges, 8o% off today.e
Date: Fri, 02 May 2003 18:21:15 01700
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: AOL 5.0 for Windows sub 138
Sensitivity: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
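Reading the Received chain by hand is the method described above; as an added example (not code from this page), here is a small Python parser that does the same thing over the headers shown above. The sample is constructed from the page's own header lines: the first Received line is reproduced exactly as the page shows it (its "from" clause is missing), so it parses as a hop with no named peer. It walks the chain oldest-first, pulls the connecting host and IP out of each hop, and checks whether the From: domain is even consistent with the host that handed the mail to the first relay.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, assembled from the header lines quoted on this page.
# The first Received line is kept as the page shows it (no "from" clause).
RAW_HEADERS = """\
Received: by mta121.mail.scd.yahoo.com with SMTP; 04 May 2003 09:27:31 -0700 (PDT)
Received: from www.email.com.cn ([61.82.164.173])
    by oracle.icm.co.kr (8.11.6/8.11.6) with ESMTP id h4327W402643;
    Sat, 3 May 2003 11:07:37 +0900
Message-ID: <0000111b31c8$000048a2$000041a2@www.email.com.cn>
To: <Undisclosed.Recipients@oracle.icm.co.kr>
From: randyu10d@email.com.cn
Subject: print cartridges, 8o% off today.e
X-Mailer: AOL 5.0 for Windows sub 138

(body omitted)
"""

# "from <host> (<comment>) by <host> ..." ; the from-clause is optional.
HOP_RE = re.compile(
    r"^(?:from\s+(?P<from>\S+)(?:\s*\((?P<paren>[^)]*)\))?\s+)?by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw):
    """Return the Received chain oldest-first as dicts with from/ip/by."""
    msg = message_from_string(raw)
    hops = []
    # Headers are listed newest-first; reverse to read the path in order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.match(flat)
        if not m:
            continue
        ip = IP_RE.search(m.group("paren") or "")
        hops.append({
            "from": m.group("from"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
        })
    return hops


def origin(raw):
    """Earliest hop that names the connecting host: where the mail
    verifiably entered the relay chain."""
    for hop in parse_hops(raw):
        if hop["from"]:
            return hop
    return None


def sender_consistent_with_origin(raw):
    """True when the From: domain matches the host that delivered the mail
    to the first relay. A mismatch means the From: address says nothing
    about who really sent it."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    o = origin(raw)
    if o is None or not domain:
        return False
    host = o["from"].lower()
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for hop in parse_hops(RAW_HEADERS):
        print(hop)
    print("origin:", origin(RAW_HEADERS))
    print("From: matches origin host:", sender_consistent_with_origin(RAW_HEADERS))
```

Only the Received line added by your own mail provider (the top one) is guaranteed genuine; every line below it was written by a machine the spammer may control, so treat the chain below your own server as a lead, not proof.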

Next, look at the HTML source code. There has to be a link in here… look for whatever follows “<A HREF=”. That indicates where the link points… i.e., the spammer’s website. Note that you’ll sometimes see “<IMG SRC=”. That indicates the server for the images (see next example), which may or may not be the same… particularly in the case of affiliate programs.

Anyway, in this simple case, ignore everything after the .com… the destination website is www.34bolohouse.com.

But alleged spammers
are doing tricky things these days to disguise the website identification…
see “Spammer Tricks” towards the end of this page.

Now it’s time for a WhoIs lookup. I usually start with Network Solutions or AllWhoIs, since they can often grab registration information from other registrars’ databases. See sample to the right:

If Network Solutions doesn’t have the information or if it doesn’t accept the code entry – which often happens – then try Internic. That site won’t have the registration data but it will tell you who the registrar is – spammers often use bulkregister, dotster, enom, godaddy, and tucows. Then go to that registrar’s website and do a WhoIs lookup there.

The WhoIs lookup will tell you the domain name you just searched on (34bolohouse.com), who the registrar is (10-Domains.com), and the phone number/address/email. Often the address is fake and/or a PO Box at The UPS Store (formerly Mailboxes Etc.). You can check that at http://go.mappoint.net/ups/PrxInput.aspx

You should forward a copy of the spam to abuse@[registrar.com] and tell them that the domain holder is a spammer and the domain name should be cancelled. I’ve done this successfully a couple times.

Incidentally, get used to seeing Florida in WhoIs lookups… I think about 2/3 of my domestic spam is from Florida. As an aside, one great way to stop the spam problem would be to cut all Internet connections to the Sunshine State. Too bad we probably can’t do that.


Finally, go to the Secretary of State website for
whatever state you’ve determined the spammer is located in and search on the
business name.

If you can’t find a business name on the WhoIs lookup, sometimes you can go to the website and
click links like “Contact,” “About Us,” or even “Privacy” or “Legal” – and sometimes
you’ll see a company name that you can find with the Secretary of
State.

Often the Secretary of State website has good (i.e., not UPS Store) addresses for the business. More importantly, they have addresses for Registered Agents. When suing an alleged spammer (or any corporate entity for that matter), you can have papers served on the Registered Agent instead of the alleged spammer.

Sometimes, even when it’s an alleged spammer acting on behalf of a principal, you can find the URL for the principal right in the HTML source code. As you can see in the html code, even though the alleged spammer routes you back through his own website (for tracking/commission purposes), the email serves up images hosted on the principal’s server – expertsatellite.com.

Name Server.......... DNS1.CYBERXHOST.NET
Name Server.......... NAME2.CYBERXHOST.NET


Look up Ultimate
Corner with the MO Secretary of State and you find full legal information.

not starting subject line
with “ADV:”, 2) continuing to send spam
even after I notified them to stop, and 3) increasing the rate of spamming
after I unsubscribed via weblink and their own systems confirmed I would be
removed from their database.

Here’s the HTML source code for the email. Note that emailselections.com appears here too… and the numbers & codes that follow the domain name – which I redacted here – are what the alleged spammer uses to track YOU specifically.

The alleged spammer is routing the click through the emailselections.com website to put an affiliate tracking code on your click… in other words, when you click the link it redirects you through emailselections.com, adds an affiliate ID, and then sends you to the principal’s website. So you might not know who the principal beneficiary is…

Except…

Also in the code is the URL for the principal – expertsatellite.com. The “<IMG SRC=” just before it means that the email is grabbing the image from the expertsatellite.com servers, instead of the spammer hosting the images himself.

The point is, you now know who’s benefiting from the spam… the
“principal.”

</html><P><FONT
size=2><FONT face=Verdana>If you do not wish to receive
special presents from our affiliates in the future, you may delete your email
from our list by <a href="http://emailselections.com/unsub.php?e=[REDACTED]&m=[REDACTED]">clicking
here</a> <FONT color=#000000><P/>
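The “<A HREF=” versus “<IMG SRC=” comparison described in the two passages above (the 34bolohouse.com case and the emailselections.com / expertsatellite.com case) is easy to automate. Here is an added Python example, not code from this page, that pulls the click-through hosts and the image hosts out of a message body and reports image hosts that are not the redirector as the likely principal. The sample HTML is constructed: it uses the domains named on this page and the unsubscribe fragment quoted above, but the redirect path, the image path and the tracking parameters are placeholders rather than values from a real message.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample using the domains discussed on this page. Paths and
# query values in square brackets are placeholders, not real ones.
SAMPLE_HTML = """\
<html><body>
<a href="http://emailselections.com/[REDIRECT-PLACEHOLDER]?aff=[AFFILIATE-ID]">
<img src="http://expertsatellite.com/[IMAGE-PLACEHOLDER].gif" border="0"></a>
<P><FONT size=2><FONT face=Verdana>If you do not wish to receive
special presents from our affiliates in the future, you may delete your email
from our list by <a href="http://emailselections.com/unsub.php?e=[REDACTED]&m=[REDACTED]">clicking
here</a> <FONT color=#000000><P/>
</body></html>
"""


def hostname(url):
    """Host part of a URL, lower-cased, with a leading 'www.' dropped
    ("ignore everything after the .com")."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkAndImageHosts(HTMLParser):
    """Collects where clicks go (<a href>) and where images load from (<img src>)."""

    def __init__(self):
        super().__init__()
        self.link_hosts = []
        self.image_hosts = []

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v}
        if tag == "a" and "href" in a:
            self.link_hosts.append(hostname(a["href"]))
        elif tag == "img" and "src" in a:
            self.image_hosts.append(hostname(a["src"]))


def analyze(html):
    """Summarise click-through hosts, image hosts, and image hosts that are
    not also the redirector, which is where the principal usually shows up."""
    parser = LinkAndImageHosts()
    parser.feed(html)
    parser.close()
    links = {h for h in parser.link_hosts if h}
    images = {h for h in parser.image_hosts if h}
    return {
        "click_through": sorted(links),
        "image_hosts": sorted(images),
        "likely_principal": sorted(images - links),
    }


if __name__ == "__main__":
    for key, hosts in analyze(SAMPLE_HTML).items():
        print(f"{key}: {', '.join(hosts) or '(none)'}")
```

The "likely principal" is a heuristic, not proof: a spammer who hosts the images himself produces an empty list, and a message that pulls images from a shared hosting provider names the provider, not the beneficiary.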

One last thing. Sometimes you want to look at the domain name servers in the WhoIs lookup. It often reveals interesting information on who else is involved in the spamming – either directly or indirectly. “Indirectly” in this context might mean the marketer who runs the website for a non-technologically-sophisticated company, and who may in turn have contracted out an email blast to (allegedly) opt-in consumers.


Here’s the WhoIs lookup. The registrant is Crown Foods, which can be traced through the Missouri Secretary of State website, coming right up.

But look at the bottom: the domain servers are “epointmarketing.com.” What that means is, Crown Foods may own the domain name “steaksofstlouis.com” but you wouldn’t necessarily expect a food company to be very tech-savvy. It looks like Crown Foods allows the www.steaksofstlouis.com website to be hosted by epointmarketing. Let’s go find ‘em.
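The name-server check above is worth scripting when you are working through a stack of these. As an added example (not from this page), here is a Python snippet that parses a WHOIS record in the dotted “Field.......... value” layout shown on this page, reduces each name server to its parent domain, and reports any parent domain that is not the looked-up domain itself, which is the hosting or marketing party the page is talking about. The sample record is constructed: the domain and name-server parent are the ones discussed above, the NS1/NS2 hostnames are assumed, and the registrant and registrar fields are placeholders.

```python
import re

# Constructed sample WHOIS record. Registrant/registrar are placeholders and
# the NS1/NS2 hostnames are assumed; the domains are the ones discussed on this page.
SAMPLE_WHOIS = """\
Domain Name.......... STEAKSOFSTLOUIS.COM
Registrant........... [REGISTRANT-PLACEHOLDER]
Registrar............ [REGISTRAR-PLACEHOLDER]
Name Server.......... NS1.EPOINTMARKETING.COM
Name Server.......... NS2.EPOINTMARKETING.COM
"""

# "Field name" followed by a run of dots, then the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\.{2,}\s*(.*?)\s*$")


def parse_whois(text):
    """Map each field name (lower-cased) to the list of values seen for it,
    so repeated fields such as Name Server are all kept."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return record


def parent_domain(host):
    """Naive registrable domain: the last two labels. Fine for .com/.net;
    two-level country suffixes such as .co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_dns(text):
    """Name-server parent domains other than the looked-up domain: the
    party that actually runs the site's DNS, and often its hosting."""
    record = parse_whois(text)
    own = {parent_domain(d) for d in record.get("domain name", [])}
    servers = {parent_domain(ns) for ns in record.get("name server", [])}
    return sorted(servers - own)


if __name__ == "__main__":
    print("fields:", parse_whois(SAMPLE_WHOIS))
    print("DNS run by:", third_party_dns(SAMPLE_WHOIS) or "the registrant itself")
```

An empty result means the domain runs its own name servers; a non-empty one gives you the next name to look up with the registrar and the Secretary of State.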